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Elliptic curve cryptography (ECC) remains the best approach to asymmetric 
cryptography when it comes to securing communication among 
communication partners in low-computing devices such as wireless sensor 
networks (WSN) and the Internet of Things (IoT) due to its effectiveness in 
generating small keys with a strong encryption mechanism. The ECC cuts 
down on power use and improves device performance, so it can be used in a 
wide range of devices that don't have a lot of resources. However, most of 
the existing ECC implementations suffer from implementation flaws that 
make them vulnerable to cryptanalysis attacks. In this study, flaws in the 
existing implementation of ECC are identified. A new scheme where the 
identified flaws are remedied was developed. The results of the security 
analysis show that the new scheme is an indistinguishable authenticated 
adaptive chosen ciphertext attack (IND-CCA3), resistant to malleability and 
man-in-the-middle attacks (MIMA). The results of comparative security 
analysis show that the mapping scheme employed in the new scheme maps 
any blocks of plaintext to distinct points on an elliptic curve, which makes it 
resistant to all attacks that the existing schemes are vulnerable to without 
having a negative effect on its encryption and decryption time, throughput, 
or power consumption. 
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1. INTRODUCTION 


Elliptic-curve cryptography (ECC) has been described as the most important tool in modern 
cryptography [1]. This applauding statement was due to the fact that the world is increasingly moving 
towards the use of resource-constrained applications where computational speed, storage, and bandwidth are 
limited [2]. With ECC, public key encryption, digital signatures, non-interactive key exchange, and a host of 
other security features are possible. ECC offers these security features with high speed, small space 
consumption, and bandwidth savings. These outstanding characteristics make ECC suitable for security 
applications in IoT devices [3]. These characteristics also explain why ECC is becoming more popular for 
security purposes [4] than its counterpart public key cryptography algorithms such as Rivest, Shamir 
Addleman (RSA), Diffie Helman (DH), and digital signature algorithm (DSA), particularly on resource- 
constrained devices such as wireless sensor networks (WSN), radio frequency identification (RFID), and the 
Internet of Things (IoT) [5]. ECC can use elliptic curves to implement cryptography algorithms based on 
discrete logarithm problems and ElGamal algorithms in an efficient way [6], [7]. 
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Elliptic curve random generator has been defined by National Institute of Standard and Technology 
(NIST) as a method of grouping random digits based on curves [8]. Unlike other cryptosystems that encrypt 
and decrypt messages directly, be it text or image, elliptic curve cryptosystem (ECC) is capable of encrypting 
and decrypting only points on the elliptic curves [7]. Since ECC can only encrypt/decrypt point on an elliptic 
curve, cryptographers who use ECC must find a way of converting the message to be encrypted or decrypted 
to points on an elliptic curve. This process of converting message to point on an elliptic curve is known as 
mapping. Moreover, to retrieve the actual message when a point on the elliptic curve is decrypted, it requires 
that the point be converted back to messages. The process of converting points on an elliptic curve to 
message is called reverse mapping [6]. 

The major problem of the existing implementation of ECC such as [7], [9]-[11], is that, many of 
them failed to adhere to the guidelines given by [6] for a good message mapping and reverse mapping [12]. 
Also noticed that most of the existing systems such as [13]-[15], and [16] that claimed to have used ECC for 
securing plaintext failed to give the detail of how the plaintext were encoded into numerical values for use in 
ECC’s mapping phase. In addition, the authenticated ECC encryption scheme proposed by [12] has security 
flaws which make the scheme vulnerable to cryptanalysis attacks. In this paper, security flaws in [12] are 
identified. A new scheme which removes the flaws is proposed. Security, comparative security, and 
comparative performance analysis of the proposed scheme are carried out on the proposed system. 

The rest of this paper is organized: section 2 gives the overview of ECC. In section 3, review of the 
related works is dealt with. The methodology where the details of how identified problem was solved is given 
in section 4. Results and discussions on the results are given in section 5 while conclusion and 
recommendation are given in section 6. 


2. OVERVIEW OF ELLIPTIC CURVE CRYPTOGRAPHY (ECC) 

The idea of using elliptic curve in cryptography was first introduced by [17] in 1987. Nowadays, 
ECC is widely applied for securing data on devices in resource constrained environment such as IoT and 
WSN devices [12]. This suitability of ECC in resource starve devices stems from the fact that ECC provides 
equal security for lesser key bit size than RSA [18] as shown by the comparison of the key sizes in Table 1. 
As a result, ECC supports low computation device capabilities, enabling them to perform more effectively 


[4]. 


Table 1. Comparison of ECC and RSA key sizes [3] 


Key Size of ECC (Bits) Key size of RSA (Bits) Ratio (Bits) 
106 512 1:4 
132 768 1:5, 
160 1024 1:6 
224 2048 1:9 
256 3072 1:12 
384 7680 1:20 
512 16380 1:30 


ECC is based on the algebraic structure of elliptic curves over finite fields and the difficulty in 
solving the elliptic curve discrete logarithm problem (ECDLP). ECDLP deals with the problem of calculating 
the number of steps or hops it takes to move from one point to another point on the elliptic curve [19]. In 
mathematics, elliptic curves are described by (1) 


Axe+Bx*?y4+Cxy+Dy+Ex?+Fxyt+Gy+Hxt+ly+J=0, (1) 


While the type of elliptic curve that is being used in cryptography is a simplified form (Weierstras form), 
which is defined by (2): 


yr=xit+axtb (2) 


The type of elliptic curves used by ECC are those elliptic curves in which the variables and 
coefficients are restricted to elements of a finite field. The two families of elliptic curves defined for use in 
cryptography are: prime curves defined over odd prime field F,, (where the field size p >3) and binary curves 
defined over Galois field GF(2™) (where the field size p = 2™) [7]. The operations on elliptical curves in 
cryptography are point addition, point multiplication and point doubling [20]-[22]. The pictorial 
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representation of point addition where two distinct points P and Q are added together is shown in Figure 1 (a). 
Figure 1(b) shows the pictorial representation of point doubling. Point doubling occurs when two points P 
and Q where P= Q are to be added together. The addition of two points P and Q where P= Q= 0 isi infinity as 
depicted in Figure 1(c). The addition of two mirror point ie P= -Q is infinity as shown in Figure 1(d). 
Equation (3) holds for all instances of (a) — (d) in Figure 1. 


Figure 1. Pictorial representation of operations in ECC [23]; (a) Point addition; (b) Point doubling; 


(c) Point at infinity when y coordinates are both 0; and (d) Point at infinity when the coordinates are mirror 


image of each other 


oo, ifx, = x2 andy, = —y2, OR x, = x, and y, = yz = 0 
_ _ P, if Q=0 
R=P+Q= 0: if Pse@ (3) 
(x3, 3), otherwise 
where 
- a ae cate if P#+Q 
3 72-24, if P=Q 
y3 = AQ — x3) — V1 
and 


Y2— V1 


, [ P + 
7 if P#+Q 
: 3x,2 +a if P= 0 
——_, l = 
2y4 


2.1. Scalar multiplication 


Let P be a random point on the elliptic curve. The operation of multiplication over P is done by the 


repetitive addition. To achieve encryption and decryption using ECC, k|P| plays a vital role as in 
exponentiation operation. k[P]= P + P + P +---+P times i.e, 5P = P+P+P+P+P (additions). Point doubling can 
be used to reduce the number of additions. 

P+P=2P(Doubling) 

2P+2P=4P(Doubling) 

4P+P=5P(addition) 


2.2. Domain parameters for elliptic curves cryptosystem and their derivations 


To use ECC, all parties involved have to agree on all basic elements concerning the elliptic curve E 


being used. In general the domain parameters for ECC algorithm is a sextuple given by (p,a,b,G,n,h) where 


p is prime that specifies the size of the finite field. 

a and b are the coefficients of the elliptic curve (2) - y? = x3 + ax + b. 

G is the base point that generates the subgroup of the elliptic curve whose order is a large prime. 

n is the order (number of points) of the subgroup. The order n of G is the smallest integer n such that nG 
= 0, nis a large prime. 

h is the cofactor of the subgroup which is the ratio a = sided 


| P| order of elliptic curve defined over prime field Ep . 
h should be small h < 4, preferably, h =1 
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When two communicating parties are to communicate, each of them must have private and public keys. Each 
retain their private key while the public is made available to the public. Private key is generated by randomly 
selecting an integer from [1..n-1]. Public key is obtained by multiplying the generated private key Ka and 
point G with coordinates (x,y) on the elliptic curve together. The two communicating parties can therefore 
generate a shared secret key (SSK). For example, if Ks is the private key of the sender and Kr is the private 
key of the recipient. The public key of the sender will be spub = Ks *G and the public key of the recipient 
will be rpub = Kr *G. The sender and recipient can generate SSK as: sender: SSK = Ks * (Kr*G) and 
recipient: SSK = Kr * (Ks *G). 


3. REVIEW OF RELATED WORKS 

A lot of research works which exploited the strength of ECC to achieve various tasks of asymmetric 
cryptography like authentication, digital signature, key agreement and encryption had been carried out by 
various researchers in the past but gap has been found in the literature. An encryption scheme similar to 
Diffie-Hellman key exchange protocol but faster by around 20 percent was proposed by [24]. A text-based 
cryptography where ECC was used for transforming the message into ASCII values before mapping the 
transformed message to affine point on elliptic curve through point addition of the ASCII value times the 
Generator was proposed by [25]. The method adopted by some authors such as [26]-[28] where ASCII table 
was used to obtain the decimal value of each character of the message and then mapped each of the obtained 
decimal value directly onto point on elliptic curve are not only vulnerable to chosen plaintext attack (CPA) 
but also waste bandwidth during transmission of the message from sender to receiver. Other schemes that 
introduced manipulation of the ASCII table by multiplying it by a secure number that is agreed on by both 
parties [11] are vulnerable to man-in-the-middle attack (MIMA) because the issue of sharing the secure 
number is similar to the challenge of agreeing on the sharing of a secure key between the two parties. Again, 
the approach wastes bandwidth during transmission of the message from sender to receiver because each 
character is represented by a point on the elliptic curve. 

In [6], it is presented a message mapping and reverse mapping scheme that is based on grouping a 
fixed number of characters of the message before mapping. The ASCII value of each character in each group 
is converted to a binary value of 8 bits. These binary forms of each character in the group are concatenated 
together, and an integer value of the concatenated binary string is obtained and mapped to a point on the 
elliptic curve. In order to prevent non-mapping results, the authors proposed padding each set of characters to 
8 bits to add one bit each time the mapping failed to find a corresponding y value. Although this method 
saves bandwidth, the approach is vulnerable to CPA when the set of characters is equal. The author also 
employed the use of El-Gama for encryption of the mapped point, which requires that for each mapped point, 
two points on the EC form encrypted points. This encryption scheme is not efficient enough, as the 
transmission of two encrypted points per block requires more bandwidth. 

In an image encryption scheme using ECC proposed by [23], the encryption computation was 
reduced to pixel grouping into a single integer, where the number of pixels in each group is based on the 
ECC key size; and mapping of the grouped pixel to one large integer, which is then mapped to the elliptic 
curve. The performance of this scheme depends on the number of pixels that exist in one group. 
Significantly, a large number of pixels in one group decreases the computation overhead and, in this way, 
increases the performance. However, the number of pixels in one group depends on the key size, where large 
keys increase the pixel count. While this may be true, incrementing the key size leads to an increase in the 
encryption and decryption computation and storage overhead. As a result, the performance is affected in both 
cases. 

In [7] the use of block chaining operation was introduced into a mapping scheme in ECC. In this 
approach, the plaintexts to be mapped are divided into fixed blocks. Exclusive OR (XOR) operation is carried 
out between the first block and an initialization vector IV, the result of the first XORed value is used in the 
second XOR operation, and the process continues until all blocks are treated. Although the approach maps 
the message to distinct points on an elliptic curve, but it is vulnerable to CPA and CCA when the plaintext is 
divided into a set of blocks and all blocks are the same (e.g., the plain text is a repeated character i.e. blocks 
B1, B2, ..., Bn, where Bl= B2=...=Bn). The first XOR operation produces B1’ = InV @ B1, the second 
XOR operation results in the value of the InV as InV ® Bl’ © B2 =InV ® BI® B2=InV @ BIO Bl= 
InV. Therefore, the result of the XOR operation produces the sequence B’; , InV, B’:, InV, .... Moreover, the 
author is silent about how the initialization vector is to be securely shared among the communicating parties. 
The need to securely share Inv among the communicating parties makes the scheme vulnerable to MIMA. 

The authenticated encryption (AE) scheme proposed by [12] was proved to be secure against several 
encryption attacks, such as CPA, CCA, and malleability attacks. A proof of the resistance of the proposed 
scheme against specific encryption attacks and performance evaluation were carried out. The results of the 
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analysis and performance evaluation show that the proposed scheme outperforms the security of other 
schemes and maintains the same computational overhead. However, taking a critical look at the mapping 
scheme shown in Figure 2. 


Figure 2. Existing technique of resisting encryption attacks using cipher block chaining (CBC) [12] 


As presented by the author, the scheme failed to take into consideration a situation where an attacker 
tests the scheme with the plaintext that is divided into a set of blocks and all blocks are the same (e.g., the 
plain text is a repeated character). For instance, the vulnerability of the scheme stems from special cases 
when the plaintext blocks are equal such that B, = B, = Bz; = --: = B,. It often happens that the value send 
to the maping function is not altered. This means that the returned value from mapping is still the same value 
that was sent to the mapping function. This returned mapped value is then XORed with the next block 
B,which happen to be the same value as B, in such a case the following happen: 


B', = InV ® B, — map(B’',) — B™, 

B', = B™, ® B, — map(B’,) > B™, 

B'; = B™, ® B; — map(B'3) > B™; 

B', =B™; ® By — map(B'4) > B™, 

but B', = B™, 

B’, =InV @® B, = B™, 

B',=InV @B, ® B, = B™,, but B, = B, 
B', =InV ® B, ® B, = B™ 
« B', = InV = B™, 

B’,; =B™, @ Bs = B™s, but B, = B, = B; and InV = B™, 
: B's; = InV @® B, = B™3 

“B's = BY, = B™3 = B™, 

B',=B', OB, =B", 

B',=InV @B, @®B, =B™, 

B', =InV = B™, =B™, 


| 
w 
_ 


This sequence continues as B’, = B'; = B’; = B', =-- and B’, = B', = B', = B’,g = **: so also B™, = 
B™,=B™, =B™, =- and B™, = B™, = B™, = B™g=... 

Hence, under this condition, the scheme is vulnerable to CPA and chosen ciphertext attack (CCA). 
Again, CBC applied in the scheme uses an initialization vector that must be generated at random. This 
initialization vector must be harmonized between the transmitting and receiving correspondent for correct 
decryption. There must be a secure way of doing this if the security of the data is not going to be broken. This 
makes the technique to also vulnerable to MIMA. 


4. METHOD 

Obviously, from the reviewed literature, it can be established that existing implementation of ECC 
are suffering from different cryptanalysis attacks. The enhancement done by [12] suffers from CPA and CCA 
because of the condition analyzed in the literature review. There are two identified deficiencies; i) the 
vulnerability to MIMA, and ii) the vulnerability to CPA and CCA. 

The first problem is solved by making use of the SSK for the production of the seed that can be used 
for the production of initialization vector. Since both the sender and recipient can generate it independently 
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without having to transmit anything using any channel, the problem of MIMA is solved. The second problem 
is solved by XORing InV with B1, map the result to point on elliptic curve and encrypt the mapped point to 
obtain B°,. To encrypt B2, the x coordinate of the encrypted point B°, is XORed with B2, the result is 
mapped to point on elliptic curve and the mapped point is encrypted to obtain B®. This process is repeated 
until all the blocks are mapped and encrypted. This process works because the encrypted B1 disorganizes the 
pattern that make XOR vulnerable to the above analysis such that when it is XORed with B2 an entirely new 
value is generated and no XOR function can be used to trace it back to InV. Figure 3 illustrates how these 
feet are achieved in the improved authenticated elliptic curve cryptosystem (IAECC) scheme. By this 
process, the vulnerability to cryptanalysis attack is greatly reduced as cryptanalysts have to solve ECDLP 
before any attack can be lunched. 


Generate Seed 
for generating 
InV 


Figure 3. Securing blocks against encryption attacks using CBC in IAECC 


The encryption algorithms for the [AECC is given in Algorithm 1. The encryption process requires 
the plaintext, the elliptic curve name, the sender’s private key and the recipient public key. 


Algorithm 1: IECC Encryption Process 
Module encryption (plaintext, curvename, rpublickey, sprivatekey) 
Input: Plaintext: the text to be encrypted, rpublickey: publickey key of the recipient 
Sprivatekey: private key of the sender, N: number of bits to be reserved for 
mapping block to 
Points, curvename: standard elliptic curve name sent from recipient 
Output: Cm: array of Encrypted points on the elliptic curve 
1. START 
curve = Obtain elliptic curve using curvename 
nbits = obtain curve order and convert it to binary form 


COMPUTE blocksize = FLOOR (~~) 
LENGTH (plaintext) 


COMPUTE ssk = sprivatekey * rpublickey 
COMPUTE diff = ABS (ssk.x - ssk.y) 
. COMPUTE encseed = MOD (diff, 2%) 
9. COMPUTE Inv = RANDOM (encseed, blocksize) 
10. LET j = 1 
11. INITIALIZE Array cm 
12. FOR i = 1 TO nblocks (taken blocksize characters at a time) 


2 
) 
4 
5. COMPUTE nblocks = ; 
blocksize 
6 
7 
8 


Ds LET block = plaintext (j to j + blocksize -1) 
ii. LET j = 3 + blocksize 
Regt ae block = CONVERT block to binary form 
LV nv = CONVERT Inv to binary form 
Vv. block = XOR (block, Inv) 
vi. LET X = CONVERT block to integer 
Vil. LET d = X * 16 
viii. LET Pm = CALL blockmapping(d, curvename) 
ix. LET C2 = Pm + ssk //C2 is a point (x,y) on the elliptic curve 
x Cm[i] = C2 
x1 nv = CONVERT C2.x to binary form 
xii. nv = Inv [1..blocksize] 
END FOR 
13. signedCm = CALL Appendsignature (Cm) 


STOP 
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Algorithm 1 makes use of mapping function whose algorithm is described in Algorithm 2. This mapping 
function modifies the numerical value X of the block of plaintext to ensure that the point (X,Y) satisfies the 
equation Y* = (X3 + aX + b)MOD P. When all the blocks that were mapped unto points on the elliptic curve 
are encrypted the encrypted points are signed by the sender using the module Appendsignature whose 
description is given in Algorithm 5. Both the signature and the signed encrypted points are transmitted to the 
recipient. 


Algorithm 2: Algorithm for mapping a block of characters to a point on the Elliptic curve 
Module mapoint = blockmapping (X, curvename) 
INPUT: X an integer representing a block of ASCII characters. 
OUTPUT: A point (x,y) on the Elliptic curve curve(a,b) corresponding to the Message block 
1. START 
2. SET solution = FALSE 
a. WHILE solution = FALSE 
i. FIND Y from the equation Y* = (X?+aX+b)MODP 
ii. IF Y does not have solution THEN X = X + 1 
ELSE solution = TRUE 
ENDIF 
ENDWHILE 
3. RETURN point with coordinate (X,Y) 
STOP 


4.1. IAECC decryption process 

The decryption process is just the exact reverse of the encryption process. The first operation to be 
performed is the verification of the signature by the recipient. The description of the signature verification 
algorithm is given in Algorithm 3. If the signature is verified to be valid, then the decryption process will be 
carried out otherwise invalid error message will be displayed and the program come to a halt. Figure 4 
illustrates how decoding and conversion of the decrypted points into a plain text is achieved and Algorithm 4 
gives the description of the decryption process in the proposed IAECC. 


Generate Seed 


for generating 
Inv 


b------ G) 


plaintext block 1 plaintext block 2 plaintext block n 


Figure 4. Reverse mapping scheme in proposed IAECC 


Algorithm 4: Decryption process in proposed IECC 
Module Message = Decryption(cm,curvename,spub, rpriv) 
Input: cm: List of encrypted points, curvename: name of the curve used, spub: Sender’s 
public key, 
rpriv: recipient’s private key, signature: Sender’s signature of the encrypted 


message 
Output: Plaintext: decrypted text obtained from Cm 
1. START 


2 GET Cm and signature 
3. Msent = CONCATENATE (Cm, Signature, spub) 
4. cCmvalidity = CALL Verifysignature (Msent,signature, PA) ) 
5 IF Cmvalidity = TRUE THEN 
iL. GET order N of the curve using the curvename 
Lis GET rpriv 
iii. | COMPUTE blocksize = FLOOR(~=*) 
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iv. COMPUTE nblocks = LENGTH (cm) 
Vv. COMPUTE ssk =  spub * rpriv //shared secrete 
vi. COMPUTE diff = ABS(ssk.x - ssk.y) 
vil. COMPUTE encseed = MOD(diff, 2%?) 
viii. COMPUTE Inv = RANDOM(encseed, blocksize) 
i a Message = EMPTY STRING 
ba FOR i = 1 to nblocks 
i. C= Cm[i] 
ii. LET ivs = C.x 


iii. Pm =C - ssk 
iv. x = Pm.x//16 
v. block = XOR(x, Inv) 
vi. Message = CONCATENATE (Message, block) 
vii. Inv = ivs 
END FOR 
ELSE 


1) 


SPLAY (“Error message”) 
6. STOP 


4.2. Authentication of IAECC encryption and decryption processes 

If the message being transmitted between communicating parties will not compromise its 
confidentiality, security and integrity, authentication encryption scheme must be applied. In authentication 
encryption scheme, confidentiality is maintained by the encryption and decryption phases of the scheme. In 
order to maintain the integrity of the message being transmitted in authentication encryption scheme, the 
sender must sign the message using his/her private key and the recipient should verify the received message 
using the public key of the sender before decryption. 


4.2.1. IAECC signing process 

In the developed IAECC, the sender signs the message Msent using his/her private key ds, which 
relies on elliptic curve digital signature algorithm (ECDSA), before sending it to the recipient through public 
channel. Msent consists of a set of tuples, which contains points on the elliptic curve used in the 
cryptosystem. Each point C; represents the encryption point for each block of the message being transmitted. 
The signing process is illustrated in Figure 5 and Algorithm 5 gives the description of the algorithm for 
signing process. 


block 1 block 2 block n 
Cy C2 Ch 
J 1 | ] 


Set of encrypted points (Msent) 


e = HASH(Msent) 
k = randomly generated intger 
d, = sender's private key 
p = big prime number (selected curve field 
characteristics) 
z = left most p bits ofe 
(x,y) =k*G 
c= xmodp 
d=(z+d,"c)"k" 
Signature = (c,d) 


Figure 5. Ensuring the Integrity of message by sender’s signature 


Algorithm 5: Process of Signing the message 
Module appendsignature (Msent) 
Input: The Message Msent 
Output: Signature pairs (c,d) 
1. calculate e = HASH (Msent) ; 


2. calculate z = le f t most p bits o fe 
3. select random value k 

4. calculate (x, y) =k x G 

5. calculate c = x mod p where r # 0 

6. If c = 0 go to 3 

7. calculate d = (z + ds * r) k -1 

8. If d= 0 go to 3 

9. (c,d) «— ciphertext signature 

10°. Stop: 
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4.2.2. IECC verification process 

The receiver of a signed message verifies it using the sender’s public key. The verification process 
is illustrated in Figure 6. Algorithm 6 outlines the steps involved in verifying the integrity of the received 
message using the sender’s public key. 


Msent. Senderpublickey, signature(c,d) 


J 


p = big prime number (selected curve field characteristics) 
Verify signature (c,d) are integers in range (1 to p -1) 
Calculate e = HASH(Mcent) 

z = leftmost p bits of e 
u1 = zd"! mod p 
u2 =cd-' mod p 
(x,y) = u1*G + u2*senderpublickey 
verify c= x mod p 


Figure 6. Recipient verifies the received message 


Algorithm 6: Recipient Verification of a Signed message 

Module Verifysignature (Msent,signature, senderpublickey) 
Input: Msent, Signature (c,d), senderpublickey 

Output: Verified ciphertexts 


Ly. Start 

2. check (c,d) are integers € 1, 2, 3, ..., p - 1) 
3. calculate e = HASH (Msent) 

4. calculate z = leftmost p bits of e 

5. calculate ul = ed? mod p 

6. calculate u2 = rd‘ mod p 

7. calculate (x, y) = ul * G + u2 * senderpublickey 
8. Verified «+ c = x mod p 

Stop. 


5. RESULTS AND DISCUSSIONS 

The results of the security analysis, comparative security analysis and comparative performance 
analysis of IAECC with the existing ECC implementations are discussed in this section. The results of the 
security analysis of IAECC are based on indistinguishability, malleability and replay attacks. Comparative 
security analysis with the existing ECC scheme is based on mapping scheme used by each scheme and 
resistance of each scheme to different security attacks. Encryption/decryptime, throughputs and energy 
consusmption are used as metrics for comparative performance analysis of IAECC with the existing ECC. 


5.1. Security and performance analysis of IAECC 
5.1.1. Security analysis based on indistinguishability 

Security in terms of indistinguishability is normally presented as a game, where the cryptosystem is 
considered secure if no adversary can win the game with significantly greater probability than an adversary 
who must guess randomly. A cryptosystem is considered” secure in terms of in distinguishability” if no 
adversary A, given an encrypted form of a message randomly chosen from a two-element message space 
determined by the adversary, can identify the message choice with probability significantly better than that of 
random guessing (1/2). If any adversary can succeed in distinguishing the chosen ciphertext with a 
probability significantly greater than 1/2, then this adversary is considered to have an advantage in 
distinguishing the ciphertext, and the scheme is not considered secure in terms of in distinguishability. 
Various form of indistinguishability against different forms of attacks are denoted [29]: Indistinguishable 
under chosen plaintext attack (IND-CPA), Indistinguishable under chosen ciphertext attack (IND-CCA), 
Indistinguishable under non-adaptive chosen ciphertext attack (IND-CCA1), Indistinguishable under adaptive 
chosen ciphertext attack (IND-CCA2), and Indistinguishable authenticated adaptive chosen ciphertext attack 
(IND-CCA3) [30]. While IND=CPA can only provide guarantee against passive security attacks, IND-CCAs 
are capable of providing security guarantee against active security attacks [31]. Any cryptography scheme 
that is evaluated against IND-CCA3 means that it is also verified against IND-CCA2, IND-CCA1, and IND- 
CPA [4]. Therefore, IAECC is verified against IND-CCA3. 

Formally, the IND-CCA3 advantage measure is defined: 
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Given adversary A, and an oracle encryption scheme]] = (k, €, D), the advantage measure of IND-CCA3 is 
defined by (4): 


aul ces (A) = Pr|K ha yw: AEKOPKO 3 1| eS Pr[AEKGI1LO => 1] (4) 


Where Aduyy? ~€C43((A4) is a measure of adversarial advantage of IND-CCA3, in [32] showed that every 
encryption scheme meeting the IND-CCA3 notion also meets both the IND-CPA notion and the AUTH 
notion and vice versa. The AUTH notion guarantee the security of ensuring the integrity of ciphertext. 
Formally, the measure of adversarial advantage of IND-CPA and AUTH are defined by (5) and (6) 
respectively. 


$ 
AdviND-CPA(A) = Pr [ 2 i HeRO es 1| — Pr[AeKGl) > 1] (5) 
$ 
Advyi""(A) = Pr IK ex: AKO forges| (6) 


Equation (6) can be recast as an experiment in which the adversary, given an Ex (-) oracle, attempts to 
distinguish between a real decryption oracle and a bogus decryption oracle that returns Invalid on every input 
ciphertext. This recast can be represented by the (7) 


$ 
Advji""*(A) = Pr IK — x: AKKOPKO > 1| — Pr[A&KO+0 = 1] (7) 
Equation (4) can be rewritten in terms of (5) and (7): 


Adv? S43 (A) = Pr Ke: AEKODKO = 1| = Pr[A&KGH)10 > 1] 


= (Pr [K< we AKKODEO = 1| — pr[A&KOLO = 1)) + (PrlA&O40 = 1) — prfA®t40 = 1]) 


Let BI and B2 be the two adversaries capable of AUTH and IND-CPA respectively, then the measure of 
adversarial advantage Adv; P~CCA3 (4) can be measured in terms of the adversarial advantage of B1 and B2. 


Advjy?-°°43 (A) = Advy*"*(B1) + Advy?~P4(B2) (8) 


IAECC is evaluated against IND — CCA3 in this research. A cryptosystem is said to be secure under IND — 
CCA3 if the adversarial advantage Advy’?~°°4? (A) is negligible. The game for IND-CPA and IND-CCA is 
simulated in order to verify whether or not IAECC is IND-CCA3. 

a. IND-CPA: the game 0 in Table 2 gives distinct value of encrypted points for each block. Table 3 and 
Table 4 show the results of the encryption of two blocks that contains the same value. In each case it 
can be seen that. each time the attacker submits the same messages (mj,j, mj;;) IAECC encryption 
oracle returns (Cj; # Cj41,). This shows that the attacker will find it very difficult to find out which 
ciphertext belongs to which plaintext even with the samples of plaintext/ciphertext pair. This is because 
the mapping between plaintext block and ciphertext block is not one-to-one mapping. 

b. IND-CCA: Table 5 shows a block of plaintext mpg and how it was encrypted using IAECC with 
appended signature. In Table 6, the encrypted point is modified by XORing the iv with a random value 
R to obtain a modified encrypted point. This modified encrypted point was then submitted for 
decryption but IAECC decryption returns an error message. This prevents the attacker from having the 
opportunity to compare modified point with the encrypted point in Table 5. Hence the attacker cannot 
win the game. 


Table 1. IND-CPA game 0 


Mio M1: 3333333333333333333333344444444444444444444444 


i Mip b Cib 

1 =. 33333333333333333333333 0 (1097748 1 1440796698660587370374846769 1 82946033877059 1897237, 
424040601 1 164217225030410622972769495523064509 1 11595973836 ) 

2 44444444444444444444444 1 (290540873909340287 863705949737 128757077 162561433489 1806504, 


3821259 1023812113891424307894263369157219062402794589 18383 ) 
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Table 2. IND-CPA Game la 


Mio,Mjo: 3333333333333333333333333333333333333333333333 
Mib b Cib 
33333333333333333333333 0 ( 1097748 1 1440796698660587370374846769 1 82946033877059 1897237 , 
424040601 1 164217225030410622972769495523064509 1 11595973836 ) 
33333333333333333333333 1 ( 2449612076858759344596169117205506126915740111109049671270 , 


1876668022 142370300698035327836552245714157263410117886939 ) 


Table 3. IND-CPA Game 1b 


Mi1,Mi a: 444 44d4dd4d44detd4tta data tea ta ea de ddd 
i Mi p b Ci 
1 44444444 44444444 44gddg4 0 (34825 1943277435376352924861956203 19109479348493259 19717209, 
455029480295 140449 10940464447 13769726958573788939094842781 ) 
2 44444444 44444444 4444444 1 (300676082438638294 1774675 14487098 1847 12090594949666097 1403, 


3773 187468547889 137 107325909042525720566923649883216749471 ) 


Table 4. IND-CCA Game 0 
Mo 33333333333333333333333 
Co, iv, sign Ox2cc5066bb6eb20a4ca01£22882f225305fb94 12b8d2c56950x0', 
ECDSASignature(c=309 16387482 16676367 1447101015528 19383424206014947390681713, 
d=267271771874985505575 13850327047 13632596933926364840628833) 


Table 5. IND-CCA Game | 
Co, VOR, sign 'Ox2f07b82f948bff8cc7c7af2c962 | 1b423584244720d7£0000x0', 
ECDSA Signature(c=309 16387482 16676367 1447 10101552819383424206014947390681713, 
d=267271771874985505575 13850327047 13632596933926364840628833) 
mp @R < dec(k, Co, iv@®R, sign) Error message: invalid ciphertext 


The adversaries B1 B2 could not win IND-CPA and IND-CCA games respectively. i.e. Advi’ PAB 2 = 
0 and Advjj‘“"*(B1) = 0, this implies that Advj!?~°°43 (A) = Advg™ + Advi’? °P4(B2) =0+0= 
0, hence, IAECC is IND-CCA3. 


5.1.2. Security against malleability attack 

An encryption algorithm is said to be malleable if an adversary can transform a cipher-text into 
another ciphertext which decrypts to a related plaintext. That is given an encryption of a plaintext m, it is 
possible to generate another ciphertext which decrypts to f(m), for a known function f, without necessarily 
knowing or learning m. Malleability attack is a type of cryptanalysis attack where modification of encrypted 
data result in modification to decrypted message. With this attack, an attacker can give misleading 
information to the recipient without the knowledge of the sender. A good cryptosystem should be non- 
malleable. Table 7 shows sample of output when a sample plaintext was encrypted using I[AECC encryption 
module and an attempt is made to decrypt the modified encrypted data. 


Table 6. Results of malleability attack test 
plaintext 88888888888888888888888 
Ciphertext ['Ox8£85de8b5a6d730f222c74e9ef7b8 1 89f03633f9bbd6c2f70x0', 
ECDSA Signature(c=309 16387482 16676367 1447 10101552819383424206014947390681713, 
d=6219317751763 166908 1892678935 1489873483 157764012435327223)] 
Modified ciphertext ['0x53£9 1632bc6bcf268d444e70dc82847590fc036f5d37 1 8f40x0', 
ECDSA Signature(c=309 16387482 166763671447 10101552819383424206014947390681713, 
d=6219317751763 166908 1892678935 1489873483 157764012435327223)] 
Results of attempted decryption invalid ciphertext 
of modified ciphertext 


As can be seen from Table 7. IAECC gives an error message stating that the ciphertext is invalid. 
This result shows that IAECC is non-malleable. 
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5.1.3. Security against replay attack 

A replay attack occurs when a cybercriminal snoops on a secure network communication, intercepts 
it, and then illegally delays or resends it to mislead the recipient into doing what the hacker wants. 
Figure 7(a) illustrates the adversary’s capability of carrying out replay attack. To prevent the possibility of 
hacker’s capability of carrying out replay attack in IAECC, both sender and receiver establish a completely 
random session key for each communication session. This means that no two sessions can use the same 
session key because session key will only be valid for one transaction and can't be used again. As the 
adversary need to establish new session key for resending the intercepted message and does not have access 
to new parameters which are needed for generating valid new session key only the old session key which is at 
the attacker’s disposal becomes invalid. This invalid session key will make the signature invalid, hence the 
recipient will ignore the message. Figure 7(b) illustrates how IAECC prevents replay attack. 


m 7 ci = E(k,mi) 
@)) Cj= mt + 2 


Recipient 


| ci = E(k,mi) pA 


Adversary/Attacker 
A: Adversary capability to perform replay attack 


al 
' ) <«__Ci=(signature, Msent, ssk) | € 


sender 


sender 


| | Ci =(signature, Msent, ssk) ® 


invalid message -L 7 


Adversary/Attacker 


B: IECC resistance to replay attack 


Figure 7. Security against replay attack (a) Adversary capability to perform replay attack and (b) IAECC 
resistance to replay attack 


5.1.4. Comparative security analysis of IAECC with existing ECC schemes 
A. Comparison based on mapping schemes 

Table 8 shows the results of the experiment. In [6] scheme mapped all the four blocks to the same 
point. In [12] mapped the four blocks to two different points. The mapping scheme in the developed [AECC 
however mapped each of the four blocks to different point on the elliptic curve. 


Table 8. Comparison of existing mapping schemes with mapping schemes used in IECC 
Plaintext: 33333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333 


[6] [12] IAECC 
[[784637716923335095479473677900 — [[234909357196134779598588069035159 — [[20686706978545444595443045279 
95830201279443055800431409,85774 — 257665464553386283487730, 122899342801 4594458238323123, 
095997 1287332615284443694443093 204948373813 1415669402416949556232 9920775885157922303737053531 73 
4097884 1013586287867], 1124330980059085692 12143], 608652754090981 423936289006], 
[7846377 169233350954794736779009 —[261255418896268268888484702383731 [19639389190147561121898299323807 
583020127944305580043 1409, 671238373571228463456961, 014805 1292206840703 100562, 
485774095997 1287332615284443694 1699538033850443143676848815372268 = 385692710925472437727620248 108422 
4430934097884 1013586287867], 696579123829363961918060], 33650798 18205547885883432], 
7846377 169233350954794736779009 [234909357 196134779598588069035 159 [37544631019679213631330991209 
583020127944305580043 1409, 257665464553386283487730, 6594836626453316948075710704, 
485774095997 1287332615284443694 2049483738 131415669402416949556232  206615009136294286283176649312 
4430934097884 1013586287867], 1124330980059085692 12143], 1507846165941885050229288074], 
[7846377 169233350954794736779009 —[261255418896268268888484702383731 [38263204739887138018468286236658 
583020127944305580043 1409, 671238373571228463456961, 9750523673013967407939043, 
485774095997 1287332615284443694 1699538033850443143676848815372268 —117806438459723307853688319433121 
4430934097884 1013586287867] 696579123829363961918060]] 4114919458199138510389243]] 
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These results show that the mapping scheme in IAECC enables the scheme to be IND-CPA and IND-CCA 
which the existing systems are not. 


B. Comparative security analysis of IAECC with existing ECC cryptosystem 

Table 9 shows the results of the comparative security analysis of IAECC with the other existing 
ECC schemes. Comparison was carried out on the selected schemes based on whether the scheme is/is not 
IND-CCA3, resistance to malleability attack (MA), checking the integrity of the ciphertext (IT), offering 
authentication encryption (AE), or offering nonrepudiation (NR), is resistant to MIMA. Y and N represents 
YES, NO respectively. Yes, means that the scheme is offering the feature in question, NO means that the 
scheme is not offering the feature. The comparison in Table 9 shows that IAECC offers resistance to different 
cryptanalysis attacks as well as offering authentication encryption and non-repudiation. 


Table 9. Security analysis comparison of proposed scheme and other schemes 


ECC schemes IND-CCA3 MA IT AE NR MIMA 

[33] N N N N N N 

[7] N N N N N N 

[6] N N N N N N 

[34] N N N N N N 

[28] N N N N N N 

[35] N N N N N N 

[12] N Y Y Y Y Y 
IAECC Y Y Y Y Y Y 


5.1.5. Comparative performance analysis of IAECC 

The two enhancements done to [12] that brought about the proposed IAECC are: the introduction of 
the generation of initialization vector (InV) and modification of the mapping scheme as earlier explained. 
The purpose of these enhancements are to solve the problem of how the initialization vector is to be securely 
shared among the communicating parties and also to improve resistance to encryption attacks. It is therefore 
necessary to check if these enhancements have negatively affected performance. Therefore, the performances 
of the developed IAECC scheme are compared with existing schemes using encryption/decryption time, 
throughput, and energy consumption during encryption and decryption processes as performance metrics. 

Three schemes were selected for comparative performance analysis based on the above perfomance 
metrics. Each of the three chosen schemes is a representation of three different groups: [6] represents the 
group of schemes that do not apply Inv or any other methods to manipulate mapping points, [12] represents 
the groups that uses InV and apply CBC mode at mapping level while IAECC represents the group that uses 
InV and apply CBC at the end of encryption. An experiment was set up to measure the encryption/decryption 
time of MCC key security process using timer built into the IAECC cryptosystem application. Different 
plaintext sizes (in bytes) were encrypted and decrypted. When a particular is presented, the encryption and 
decryption processes are carried out 10 rounds. In each round, the time taken for the encryption/decryption to 
complete is measured. These 10 different measured time were added together and the average time was taken 
as the encryption/decryption time. This procedure was used for each of the three schemes that were selected 
for the performance comparison. For the calculation of encryption and decryption throughputs, the formulae 
in (9) and (10) were used. 


Data size 


Encryption Throughput = (9) 


Time taken to encrypt the data 


Data size 


Decryption Throughput = (10) 


Time taken to decrypt the data 


In order to calculate the energy consumption by the system during encryption/decryption processes, 
the approximate average current consumption of the laptop used for the experiment when it is busy and the 
CPU voltage were both collected from manual of the hp laptop used in conducting the experiment. The 
average current consumption I is 100mA while the CPU voltage V.< is 1.25v. The Energy consumption E in 
Joule (J) of the laptop used for the experiment during encryption/decryption of different key sizes were 
calculated using the formula: E = V,, xX IXT, where T represents encryption/ decryption time. Twenty 
different data sizes were used, the data sizes in byte, the encryption time and decryption time obtained from 
the experiment as well as calculated encryption throughput, decryption throughput, power consumption 
during encryption and power consumption during decrption for each data size. 
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In order to ascertain the effects of changing the sizes of keys on the encryption/decryption time, 
throughput and energy consumption during encryption and decryption processes on the schemes under 
consideration, average encryption/decryption time, throughput and power consumption during 
encryption/decryption processes were calculated and compared. 

Table 10 shows the recorded encryption and decryption time during the experiment when different 
key sizes were encrypted and decrypted using three different ECC schemes. Average encryption and 
decryption time is calculated as shown in Table 11. Table 12 shows the calculated encryption and decryption 
throughputs for the three ECC schemes under consideration. The energy consumption during encryption and 
decryption processes for each of the three ECC schemes are shown in Table 13. Although the corresponding 
encryption and decryption time in Table 10 appear to be the same for the three schemes for each data size, 
there is variation in the values when the number of decimal places is considered. This explains the reason 
why the average encryption/decryption time calculated are not the same for the three schemes under 
consideration. 


Table 10. Encryption and decryption time of three ECC schemes with different data sizes 
Encryption and Decryption time (s) 


Sengupta Almajed IECC 
S/N___ Datasize(byte) Encryption Decryption Encryption Decryption Encryption Decryption 
1 115 0.389078 0.483301 0.389078 0.483301 0.389078 0.483301 
2 230 0.434338 0.518787 0.434338 0.518787 0.434338 0.518787 
3 345 0.465585 0.559502 0.465585 0.559502 0.465585 0.559502 
4 460 0.519219 0.602797 0.519219 0.602797 0.519219 0.602797 
5 575 0.560923 0.626595 0.560923 0.626595 0.560923 0.626595 
6 690 0.606371 0.673110 0.606371 0.673110 0.606371 0.673110 
7 805 0.646975 0.707926 0.646975 0.707926 0.646975 0.707926 
8 920 0.689171 0.740678 0.689171 0.740678 0.689171 0.740678 
9 1035, 0.724982 0.779279 0.724982 0.779279 0.724982 0.779279 
10 1150 0.766760 0.823967 0.766760 0.823967 0.766760 0.823967 
11 1265 0.810980 0.853082 0.810980 0.853082 0.810980 0.853082 
12 1380 0.856045 0.887785 0.856045 0.887785 0.856045 0.887785 
13 1495 0.903110 0.926059 0.903110 0.926059 0.903110 0.926059 
14 1610 0.939079 0.965609 0.939079 0.965609 0.939079 0.965609 
15 1725 0.990609 0.998431 0.990609 0.998431 0.990609 0.998431 
16 1840 1.028811 1.033914 1.028811 1.033914 1.028811 1.033914 
17 1955, 1.080697 1.078274 1.080697 1.078274 1.080697 1.078274 
18 2070 1.167239 1.161422 1.167239 1.161422 1.167239 1.161422 
19 2185 1.279685 1.268402 1.279685 1.268402 1.279685 1.268402 
20 2300 1.226619 1.214720 1.226619 1.214720 1.226619 1.214720 


The bar chart in Figure 8 represents the information in Table 11. The bar chart shows that the 
encryption and decryption time for the three ECC schemes are approximately the same. This result implies 
that the modification done in IAECC does not make its encryption and decryption time higher than that of the 
existing ECC schemes. 
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Figure 8. Comparative analysis of encryption/decryption time of ECC schemes 
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Table 11. Average encryption and decryption time of three ECC schemes 
Average Encryption and Decryption Time (s) 


S/N scheme Sengupta Almajed IAECC 
1 Encryption 0.804314 0.827877 0.829769 
2 Decryption 0.845182 0.865534 0.865895 


The bar chart in Figure 9 represents the information in Table 12 where the encryption and 
decryption throughputs of the three ECC schemes were compared. As can be seen, the encryption and 
decryption throughputs of the three schemes are approximately equal. This result implies that the 
modification in IECC does not make its encryption and decryption throughputs lower than the encryption and 
decryption of the existing ECC schemes. 
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Figure 9. Comparative analysis of encryption/decryption throughput of ECC schemes 


Table 12. Average encryption and decryption throughputs of three ECC schemes 
Average Encryption and Decryption Throughput (byte/s) 


S/N scheme Sengupta Almajed IAECC 
1 Encryption 1367.911 1327.398 1322.962 
2 Decryption 1307.233 1275.503 1273.339 


Figure 10 represents the information in Table 13 where the encryption and decryption energy 
consumption of the three ECC schemes were compared. The results in the Figure 9 reveals that the energy 
consumption of the system during encryption and decryption are approximately equal. This result implies 
that the modifications in IECC does not make the energy consumption of IECC higher than the energy 
consumption in the existing ECC schemes. 
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Figure 10. Comparative analysis of encryption/decryption energy consumption of ECC schemes 
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Table 13. Average encryption and decryption energy consumption of three ECC schemes 
Average Encryption and Decryption Energy Consumption (J) 


S/N scheme Semgupta Almajed IAECC 
1 Encryption 0.100539 0.103485 0.103721 
2 Decryption 0.105648 0.108192 0.108237 


6. CONCLUSION 

In this study, flaws in the existing implementation of ECC schemes are identified. A new scheme is 
created to address the flaws. This study also undertook a security analysis to present a proof for the resistance 
of the developed scheme against specific encryption attacks. Additionally, the study conducted a 
performance evaluation to compare the impact of the security enhancements of the proposed scheme on 
encryption and decryption times, throughput, and power consumption with those of other schemes. The 
experimental results of the security analysis show that IAECC is resistant to the security flaws that the 
existing systems are vulnerable to. Again, the results of the comparative performance analysis of IAECC 
with other systems show that the IAECC scheme performed just as well as the other schemes, with no 
noticeable increase in computation overhead. So, IAECC is more secure than the existing schemes while 
keeping the same amount of work to do. 
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